Dedukti is a logical framework based on the λΠ-calculus modulo rewriting, which extends the λΠ-calculus with rewrite rules. In this paper, we show how to translate the proofs of a family of HOL proof assistants to Dedukti. The translation preserves binding, typing, and reduction. We implemented this translation in an automated tool and used it to successfully translate the OpenTheory standard library.

1 Introduction 

Dedukti is a logical framework for defining logics and expressing proofs in those logics [8]. Following the LF legacy [17], it is based on the λΠ-calculus modulo rewriting, which extends the λΠ-calculus with rewrite rules. Cousineau and Dowek [11] showed that functional pure type systems (PTS), a large class of calculi that are at the basis of many proof systems, can be embedded in the λΠ-calculus modulo rewriting in a way that is complete and that preserves reductions (i.e. program evaluation). This led to the proposal of Dedukti as a universal proof framework.

In this paper, we focus on translating the proofs of HOL to Dedukti. HOL refers to a family of 
theorem provers built on a common logical system known as higher-order logic or simple type theory 
[10]. It includes systems such as HOL Light, HOL4, and ProofPower-HOL. These systems are fairly 
popular and a large number of important mathematical results have been formalized in them [15, 16, 29]. 

Universal proof checking 

Using Dedukti as a logical framework serves two goals. First, in the short term, it serves as an alternative, independent proof checker, providing an additional layer of confidence over each system. The
second, longer term goal, is interoperability. Proof systems are becoming increasingly important, both 
in the formalization of mathematics and in software engineering. However, they are usually developed 
separately, with very little interoperability in mind. As a result, it is currently very difficult to reuse a 
proof from one system in another one. Embedding these different systems in a single unified framework 
is the first step to bring them closer together, and opens the way for theory management systems [18, 27] 
to combine their proofs in order to construct and verify larger theories. 

The λΠ-calculus as a logical framework

The λΠ-calculus, also known as LF, is a typed λ-calculus with dependent types. Through the Curry-Howard correspondence, it can express a wide variety of logics [17]. Several formalizations of HOL in LF have been proposed [2, 28, 26].
The main concept behind this correspondence is the “propositions as types” principle. Typically, we define a context declaring the types, terms, and judgments of the original logic, in such a way that provability in the logic corresponds to type inhabitation in the context. For HOL, the signature would be:

    type   : Type
    bool   : type
    arrow  : type → type → type
    term   : type → Type
    lam    : (term α → term β) → term (arrow α β)
    app    : term (arrow α β) → term α → term β
    proof  : term bool → Type
    rule_1 : ...
    rule_2 : ...

For each proposition φ of the logic, we assign a type ||φ|| in the λΠ-calculus. The provability of the proposition φ corresponds to the inhabitation of the type ||φ||. Similarly, we translate proofs as terms inhabiting those types, and the correctness of the proof corresponds to the well-typedness of the term.

However, because the λΠ-calculus does not have polymorphism, we cannot translate propositions directly as types, as doing so would prevent us from quantifying over propositions for example. Instead, for each proposition φ, we have two translations: one translation |φ| as a term, and another ||φ|| = proof |φ| as a type. This correspondence has been successfully used to embed logics in the LF framework [17, 14], implemented in Twelf [25].

The λΠ-calculus vs. the λΠ-calculus modulo rewriting

An important limitation of LF is that these encodings do not preserve reduction (i.e. program evaluation), and therefore they do not preserve equivalence: if M =β M', it does not follow that |M| and |M'| are equivalent. For example, the term (λx : α. x) x is encoded as app (lam (λx : term α. x)) x, which is not equivalent to x. This is problematic not only because it makes the representation larger and hence less efficient but also because conversion proofs may be very long.

By extending the λΠ-calculus with rewrite rules such as

    term (arrow α β) ↪ term α → term β ,

we can identify the type term (arrow α β) with the type term α → term β and thus define a translation that is lighter and that preserves reductions. The encoding of the terms becomes more compact, as we represent λ-abstractions by λ-abstractions, applications by applications, etc. For example, the term (λx : α. x) x is encoded as (λx : term α. x) x. Such an encoding is impossible in LF for higher-order theories such as system F, HOL, or the calculus of constructions.

Moreover, our translation is modular enough so that we can extend the notion of reduction to the 
proofs of HOL and recover the pure type system nature of HOL [5]. This might be beneficial for several 
reasons: 

1. It gives a reduction semantics for the proofs of HOL. 

2. It allows compressing the proofs further by replacing conversion proofs with reflexivity. 

3. Several other proof systems (Coq, Agda, etc.) are based on pure type systems, so expressing HOL 
as a PTS fits in the large scale of interoperability. 
HOL and OpenTheory

The theorem provers of the HOL family (HOL Light, HOL4, ProofPower-HOL, etc.) are built on a 
common logical formalism known as higher-order logic, and have fairly similar core implementations. 

A recurrent issue when trying to retrieve proofs from these systems is that they do not keep a trace of 
their proofs [18, 20, 24]. Following the LCF architecture, they represent their theorems using an abstract 
datatype and thus guarantee their safety without the need to remember their proofs. This approach 
reduces memory consumption but hinders their ability to share proofs. 

Fortunately, several proposals have already been made to solve this problem [18, 24]. Among them is
the OpenTheory project. It defines a standard format called the article format for recording and sharing 
HOL theorems. An article file contains a sequence of elementary commands to reconstruct proofs. 
Importing a theorem requires only a mechanical execution of the commands. 

The format is limited to the HOL family, and cannot be used to communicate the proofs of Coq 
for example. However, it is an excellent starting point for our translation. Choosing OpenTheory as a 
front-end has several advantages: 

• We cover all the systems of the HOL family that can export their proofs to OpenTheory with a single implementation. As of today, this includes HOL Light, HOL4, and ProofPower-HOL.*

• The implementation of a theorem prover can change, so the existence of this standard, documented 
proof format is extremely helpful, if not necessary. 

• The OpenTheory project also defines a large common standard theory library, covering the development of common datatypes and mathematical theories such as lists and natural numbers. This
substantial body of theories was used as a benchmark for our implementation. 


Related work 

Several formalizations of HOL in LF have been proposed [2, 26, 28]. To our knowledge, they lack an actual implementation of the translation. Other translations have been proposed to automatically extract the proofs of HOL to other systems such as Isabelle/HOL [19, 24], Nuprl [23], or Coq [20]. With the exception of the implementation of Kaliszyk and Krauss [19], these tools suffer from scalability problems. Our translation is lightweight enough to be scalable and provides promising results. The implementation of Kaliszyk and Krauss is the first efficient and scalable translation of HOL Light proofs, but its target is Isabelle/HOL, a system that, unlike Dedukti, is foundationally very close to HOL Light.

ProofCert [9] is another project like Dedukti that aims at providing a universal framework for checking proofs. Unlike Dedukti, it is based on sequent calculus. It can handle linear, intuitionistic, and classical logics. To our knowledge, there are no automated translations of systems like HOL to ProofCert that have been implemented yet.

A project complementary to ours is Coqine [7], which proposes a translation of the calculus of inductive constructions (CIC), the formalism behind Coq, to Dedukti. The translation has been implemented in an automated tool that translates the proofs compiled by Coq to Dedukti. It can handle most of the features of Coq, and has been used to translate a part of its standard library.


* Isabelle/HOL can currently read from but not write to OpenTheory. 
Contributions

We define a translation of the types, terms and proofs of HOL to Dedukti. We use the rewriting techniques of Cousineau and Dowek [11] to obtain a shallow embedding that is lightweight and modular.
We implemented this translation in an automated tool called Holide, which automatically translates the 
proofs of HOL written in the OpenTheory format to Dedukti. We used it to successfully translate the 
OpenTheory standard library. 

Outline 

The rest of this paper is organized as follows. Section 2 presents Dedukti and the λΠ-calculus modulo
rewriting. Section 3 presents HOL and the logical system behind it. Section 4 defines the translation of 
HOL to Dedukti. In Section 5, we show that the translation is correct. Section 6 discusses the details of 
our implementation and the results obtained by translating the OpenTheory standard library. Section 7 
discusses some additional applications of rewriting. Finally, Section 8 summarizes and considers future 
work. 

2 Dedukti 

Dedukti is essentially a type checker for the λΠ-calculus modulo rewriting [8], which extends the λΠ-calculus with rewrite rules. We choose a presentation based on pure type systems [5], which makes no syntactic distinction between terms, usually denoted by M or N, and types, usually denoted by A or B.

We assume countably infinite sets of variables and constants. There are two sorts, Type and Kind. The sort Type is the type of types and the sort Kind is the type of Type. We write λx : A. M for abstractions and M N for applications. The type of functions is written Πx : A. B, or A → B when x does not appear free in B. Application is left-associative while the arrow → is right-associative. Terms are considered up to α-equivalence. Contexts contain the types of variables while signatures contain the types of constants and their rewrite rules. Each rewrite rule is accompanied by a context Γ to ensure it is well-typed.

Definition 2.1. The syntax of the λΠ-calculus modulo rewriting is:

    variables     x, y
    constants     c
    sorts         s           ::= Type | Kind
    terms         M, N, A, B  ::= x | c | s | Πx : A. B | λx : A. M | M N
    contexts      Γ, Δ        ::= · | Γ, x : A
    signatures    Σ           ::= · | Σ, c : A | Σ, [Γ] M ↪ N


If R is a set of rewrite rules, we write $\to_R$ for the induced reduction relation, $\to_R^+$ for its transitive closure, $\to_R^*$ for its reflexive transitive closure, and $=_R$ for its reflexive symmetric transitive closure. Given a signature Σ, we write βΣ for the union of the β rule with the rewrite rules of Σ.

The typing judgments Σ | Γ ⊢ M : A are accompanied by context formation judgments Σ | Γ context and signature formation judgments Σ signature. We write Γ ⊢ M : A and Γ context instead of Σ | Γ ⊢ M : A and Σ | Γ context when the signature is not ambiguous. The rules are presented in Figure 1.

Example 2.2. Let Σ be the signature containing

    a : Type,  c : a,  f : a → Type
Figure 1: Typing rules of the λΠ-calculus

\[
\frac{\Gamma\ \text{context} \qquad (x : A) \in \Gamma}{\Gamma \vdash x : A}\ \text{Var}
\qquad
\frac{\Gamma\ \text{context} \qquad (c : A) \in \Sigma}{\Gamma \vdash c : A}\ \text{Const}
\qquad
\frac{\Gamma\ \text{context}}{\Gamma \vdash \m{Type} : \mathrm{Kind}}\ \text{Type}
\]
\[
\frac{\Gamma \vdash A : \mathrm{Type} \qquad \Gamma, x : A \vdash B : s}{\Gamma \vdash \Pi x : A.\, B : s}\ \text{Prod}
\qquad
\frac{\Gamma \vdash A : \mathrm{Type} \qquad \Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x : A.\, M : \Pi x : A.\, B}\ \text{Abs}
\]
\[
\frac{\Gamma \vdash M : \Pi x : A.\, B \qquad \Gamma \vdash N : A}{\Gamma \vdash M\, N : [N/x]B}\ \text{App}
\qquad
\frac{\Gamma \vdash M : A \qquad \Gamma \vdash B : \mathrm{Type} \qquad A =_{\beta\Sigma} B}{\Gamma \vdash M : B}\ \text{Conv}
\]
\[
\frac{\Sigma\ \text{signature}}{\cdot\ \text{context}}\ \text{EmptyCtx}
\qquad
\frac{\Gamma \vdash A : \mathrm{Type} \qquad x \notin \Gamma}{\Gamma, x : A\ \text{context}}\ \text{VarCtx}
\]
\[
\frac{}{\cdot\ \text{signature}}\ \text{EmptySig}
\qquad
\frac{\Sigma \mid \cdot \vdash A : s \qquad c \notin \Sigma}{\Sigma, c : A\ \text{signature}}\ \text{ConstSig}
\qquad
\frac{\Sigma \mid \Gamma \vdash M : A \qquad \Sigma \mid \Gamma \vdash N : A}{\Sigma, [\Gamma]\, M \hookrightarrow N\ \text{signature}}\ \text{RewriteSig}
\]


and the rewrite rule

    [·] f c ↪ Πy : a. f y → f y .

The term λx : f c. x c x is well-typed in Σ and has the type f c → f c. Notice that this term would not be well-typed without the rewrite rule, even if we replace all occurrences of f c by Πy : a. f y → f y.

Dedukti imposes some additional restrictions on the rewrite rules to keep type-checking decidable. In particular, the left side of a rewrite rule must belong to the higher-order pattern fragment [21, 22] and the free variables of the right side must appear on the left side. Moreover, the reduction relation $\to_{\beta\Sigma}$ should be confluent and strongly normalizing. This property is not verified by the system and it is up to the user to ensure that it is indeed the case. We discuss this in Section 5.

3 HOL 

There are many different formulations for higher-order logic. The intuitionistic formulation is based on implication and universal quantification as primitive connectives, but the current systems generally use a formulation called Q₀ [1] based on equality as a primitive connective. We take as reference the logical system used by OpenTheory [18], which we will now briefly present.

The terms of the logic are terms of the simply typed λ-calculus, with a base type bool representing the type of propositions and a type ind of individuals. The terms can contain constant symbols such as (=), the symbol for equality, or select, the symbol of choice. The logic supports a restricted form of polymorphism, known as ML-style polymorphism, by allowing type variables, such as α or β, to appear in types. For example, the type of (=) is α → α → bool.
Figure 2: Derivation rules of HOL

\[
\frac{}{\vdash M = M}\ \text{Refl}_M
\qquad
\frac{\Gamma \vdash M = N}{\Gamma \vdash \lambda x : A.\, M = \lambda x : A.\, N}\ \text{AbsThm}_x
\qquad
\frac{\Gamma \vdash F = G \qquad \Delta \vdash M = N}{\Gamma \cup \Delta \vdash F\, M = G\, N}\ \text{AppThm}
\]
\[
\frac{}{\vdash (\lambda x : A.\, M)\, x = M}\ \text{Beta}_{x,M}
\qquad
\frac{}{\{\phi\} \vdash \phi}\ \text{Assume}_\phi
\qquad
\frac{\Gamma \vdash \phi = \psi \qquad \Delta \vdash \phi}{\Gamma \cup \Delta \vdash \psi}\ \text{EqMp}
\]
\[
\frac{\Gamma \vdash \phi \qquad \Delta \vdash \psi}{(\Gamma - \{\psi\}) \cup (\Delta - \{\phi\}) \vdash \phi = \psi}\ \text{DeductAntiSym}
\qquad
\frac{\Gamma \vdash \phi}{\Gamma[\sigma] \vdash \phi[\sigma]}\ \text{Subst}_\sigma
\]


Types can be parameterized through type operators of the form p(A₁, ..., Aₙ). For example, list is a type operator of arity 1, and list(bool) is the type of lists of booleans. Type variables and type operators are enough to describe all the types of HOL, because bool can be seen as a type operator of arity 0, and the arrow → as a type operator of arity 2. Hence the type of (=_α) is in fact →(α, →(α, bool())). We still write A → B instead of →(A, B) for arrow types, p instead of p() for type operators of arity 0, and M = N instead of (=) M N when it is more convenient.

Definition 3.1. The syntax of HOL is:

    type variables    α, β
    type operators    p
    types             A, B  ::= α | p(A₁, ..., Aₙ)
    term variables    x, y
    term constants    c
    terms             M, N  ::= x | λx : A. M | M N | c


The propositions of the logic are the terms of type bool and the predicates are the terms of type A → bool. We use letters such as φ or ψ to denote propositions. The contexts, denoted by Γ or Δ, are sets of propositions, and the judgments of the logic are of the form Γ ⊢ φ. The derivation rules are presented in Figure 2.

Example 3.2. Here is a derivation of the transitivity of equality: if Γ ⊢ x = y and Δ ⊢ y = z, then Γ ∪ Δ ⊢ x = z.

\[
\frac{
  \dfrac{
    \dfrac{}{\vdash ((=)\, x) = ((=)\, x)}\ \text{Refl}
    \qquad
    \Delta \vdash y = z
  }{\Delta \vdash (x = y) = (x = z)}\ \text{AppThm}
  \qquad
  \Gamma \vdash x = y
}{\Gamma \cup \Delta \vdash x = z}\ \text{EqMp}
\]

HOL supports mechanisms for defining new types and constants in a conservative way. We will not 
consider them here. In addition to the core derivation rules, three axioms are assumed: 

• η-equality, which states that λx : A. M x = M,

• the axiom of choice, with a predeclared symbol of choice called select, 

• the axiom of infinity, which states that the type ind is infinite. 

It is important to note that from η-convertibility and the axiom of choice, we can derive the excluded middle [6], making HOL a classical logic.
4 Translation

In this section we show how to translate HOL to Dedukti. We define a signature Σ containing primitive declarations and definitions, and a translation function assigning, to every construct of the logic, a term that is well-typed in the signature Σ.


HOL Types

To translate the simple types of HOL, we declare a new Dedukti type called type and three constructors bool, ind and arrow.

    type  : Type
    bool  : type
    ind   : type
    arrow : type → type → type

One should not confuse type, which is the type of Dedukti terms that represent HOL types, with Type, which is the type of Dedukti types. The translation of a HOL type as a Dedukti term is defined inductively on the structure of the type.

Definition 4.1 (Translation of a HOL type as a Dedukti term). For any HOL type A, we define |A|, the translation of A as a term, to be

\[
\begin{aligned}
|\alpha| &= \alpha \\
|\mathrm{bool}| &= \mathrm{bool} \\
|\mathrm{ind}| &= \mathrm{ind} \\
|A \to B| &= \mathrm{arrow}\ |A|\ |B| \,.
\end{aligned}
\]

More generally, if we have an n-ary HOL type operator p, we declare a constant p of type type → ··· → type → type (with n arguments of type type), and we translate an instance p(A₁, ..., Aₙ) of this type operator to the term p |A₁| ··· |Aₙ|.


HOL Terms

We declare a new dependent type called term indexed by a type, and we identify the terms of type term (arrow A B) with the functions of type term A → term B by adding a rewrite rule. We also declare a constant eq for HOL equality and a constant select for the choice operator.

    term   : type → Type
    eq     : Πα : type. term (arrow α (arrow α bool))
    select : Πα : type. term (arrow (arrow α bool) α)

    [α : type, β : type] term (arrow α β) ↪ term α → term β

The symbol term can be seen as a decoding function that assigns a Dedukti type to every HOL type. The translation of a term M of type A will then be a term of type term |A|.

Definition 4.2 (Translation of a HOL type as a Dedukti type). For any HOL type A, we define

\[
\|A\| = \mathrm{term}\ |A| \,.
\]
Definition 4.3 (Translation of a HOL term as a Dedukti term). For any HOL term M, we define |M|, the translation of M as a term, to be

\[
\begin{aligned}
|x| &= x \\
|M\, N| &= |M|\ |N| \\
|\lambda x : A.\, M| &= \lambda x : \|A\|.\ |M| \\
|(=_A)| &= \mathrm{eq}\ |A| \\
|\mathrm{select}_A| &= \mathrm{select}\ |A| \,.
\end{aligned}
\]

More generally, for every HOL constant c of type A, if α₁, ..., αₙ are the free type variables that appear in A, we declare a new constant c of type

\[
\Pi \alpha_1 : \mathrm{type}.\ \ldots\ \Pi \alpha_n : \mathrm{type}.\ \|A\|
\]

and we translate an instance of this constant by the term c |A₁| ··· |Aₙ|.

Example 4.4. The term (λx : α. x) x is translated to

\[
|(\lambda x : \alpha.\, x)\, x| = (\lambda x : \mathrm{term}\ \alpha.\, x)\ x
\]

which is convertible to x.


HOL Proofs

We declare a new type proof, to express the proof judgments of HOL. It is a dependent type, indexed by the proposition φ that it is proving.

    proof : term bool → Type

Definition 4.5 (Translation of HOL propositions as Dedukti types). For any HOL proposition φ (i.e. a HOL term of type bool), we define

\[
\|\phi\| = \mathrm{proof}\ |\phi| \,.
\]

For any HOL context Γ = φ₁, ..., φₙ, we define

\[
\|\Gamma\| = h_{\phi_1} : \|\phi_1\|, \ldots, h_{\phi_n} : \|\phi_n\|
\]

where $h_{\phi_1}, \ldots, h_{\phi_n}$ are fresh variables.

We now take care of the derivation rules of HOL (Figure 2). In the following, we write Πx, y : A. B as a shortcut for Πx : A. Πy : A. B.


Equality proofs

We declare Refl, FunExt, and AppThm:

    Refl   : Πα : type. Πx : term α. proof (eq α x x)
    FunExt : Πα, β : type. Πf, g : term (arrow α β).
             (Πx : term α. proof (eq β (f x) (g x))) → proof (eq (arrow α β) f g)
    AppThm : Πα, β : type. Πf, g : term (arrow α β). Πx, y : term α.
             proof (eq (arrow α β) f g) → proof (eq α x y) → proof (eq β (f x) (g y))

The constant FunExt corresponds to functional extensionality, which states that if two functions f and g of type A → B are equal on all values x of type A, then f and g are equal. We can use it to translate both the AbsThm rule and the η axiom. Finally, since our encoding is shallow, β-equality can be proved by reflexivity.
Definition 4.6. The rules Refl, AbsThm, AppThm, and Beta are translated to

\[
\left|\ \frac{}{\vdash M = M}\ \text{Refl}\ \right| = \mathrm{Refl}\ |A|\ |M| \qquad \text{(where $A$ is the type of $M$)}
\]
\[
\left|\ \frac{\overset{\pi}{\Gamma \vdash M = N}}{\Gamma \vdash \lambda x : A.\, M = \lambda x : A.\, N}\ \text{AbsThm}\ \right|
= \mathrm{FunExt}\ |A|\ |B|\ |\lambda x : A.\, M|\ |\lambda x : A.\, N|\ (\lambda x : \|A\|.\ |\pi|)
\]
\[
\left|\ \frac{\overset{\pi_1}{\Gamma \vdash F = G} \qquad \overset{\pi_2}{\Delta \vdash M = N}}{\Gamma \cup \Delta \vdash F\, M = G\, N}\ \text{AppThm}\ \right|
= \mathrm{AppThm}\ |A|\ |B|\ |F|\ |G|\ |M|\ |N|\ |\pi_1|\ |\pi_2|
\]
\[
\left|\ \frac{}{\vdash (\lambda x : A.\, M)\, x = M}\ \text{Beta}\ \right| = \mathrm{Refl}\ |B|\ |M| \qquad \text{(where $B$ is the type of $M$)}\,.
\]


Boolean proofs

We declare the constants PropExt and EqMp:

    PropExt : Πp, q : term bool.
              (proof q → proof p) → (proof p → proof q) → proof (eq bool p q)
    EqMp    : Πp, q : term bool. proof (eq bool p q) → proof p → proof q

The constant PropExt corresponds to propositional extensionality and, together with EqMp, states that equality on booleans in HOL behaves like the connective “if and only if”.

Definition 4.7. The rules Assume, DeductAntiSym, and EqMp are translated to

\[
\left|\ \frac{}{\{\phi\} \vdash \phi}\ \text{Assume}\ \right| = h_\phi \qquad \text{(where $h_\phi$ is a fresh variable)}
\]
\[
\left|\ \frac{\overset{\pi_1}{\Gamma \vdash \phi} \qquad \overset{\pi_2}{\Delta \vdash \psi}}{(\Gamma - \{\psi\}) \cup (\Delta - \{\phi\}) \vdash \phi = \psi}\ \text{DeductAntiSym}\ \right|
= \mathrm{PropExt}\ |\phi|\ |\psi|\ (\lambda h_\psi : \|\psi\|.\ |\pi_1|)\ (\lambda h_\phi : \|\phi\|.\ |\pi_2|)
\]
\[
\left|\ \frac{\overset{\pi_1}{\Gamma \vdash \phi = \psi} \qquad \overset{\pi_2}{\Delta \vdash \phi}}{\Gamma \cup \Delta \vdash \psi}\ \text{EqMp}\ \right|
= \mathrm{EqMp}\ |\phi|\ |\psi|\ |\pi_1|\ |\pi_2| \,.
\]


Substitution proofs

The HOL rule Subst derives Γ[σ] ⊢ φ[σ] from Γ ⊢ φ. In OpenTheory, the substitution can substitute for both term and type variables but type variables are instantiated first. For the sake of clarity, we split this rule in two steps: one for term substitution of the form σ = M₁/x₁, ..., Mₙ/xₙ, and one for type substitution of the form θ = A₁/α₁, ..., Aₘ/αₘ. In Dedukti, we have to rely on β-reduction to express substitution. We can correctly translate a parallel substitution M[M₁/x₁, ..., Mₙ/xₙ] as

\[
(\lambda x_1 : B_1.\ \ldots\ \lambda x_n : B_n.\ M)\ M_1 \ldots M_n
\]

where Bᵢ is the type of Mᵢ.
Definition 4.8. The rule Subst is translated to

\[
\left|\ \frac{\overset{\pi}{\Gamma \vdash \phi}}{\Gamma[\theta] \vdash \phi[\theta]}\ \text{TypeSubst}\ \right|
= (\lambda \alpha_1 : \mathrm{type}.\ \ldots\ \lambda \alpha_m : \mathrm{type}.\ |\pi|)\ |A_1| \ldots |A_m|
\]
\[
\left|\ \frac{\overset{\pi}{\Gamma \vdash \phi}}{\Gamma[\sigma] \vdash \phi[\sigma]}\ \text{TermSubst}\ \right|
= (\lambda x_1 : \|B_1\|.\ \ldots\ \lambda x_n : \|B_n\|.\ |\pi|)\ |M_1| \ldots |M_n|
\]
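The type, term and proof translations of Definitions 4.1 to 4.3 and 4.5 to 4.7, as an added Python example that is not Holide's code: it builds the Dedukti terms for Example 4.4 and for the transitivity derivation of Example 3.2, and β-normalises the former to check that the shallow encoding reduces (λx : term α. x) x to x. The tuple encodings, the helper names, the hypothesis variables h1 and h2 standing for ||Γ|| and ||Δ||, and the absence of type checking are assumptions of this example.

```python
# Added example (not Holide's or Dedukti's code): Definitions 4.1-4.3 and 4.5-4.7 on nested
# tuples, plus a beta normaliser to check reduction preservation (Examples 4.4 and 3.2).
# HOL types   : ("tvar", a) | ("top", p, (A1, ..., An))
# HOL terms   : ("var", x, A) | ("lam", x, A, M) | ("app", M, N) | ("eq", A)
# Dedukti     : ("v", x) | ("c", name) | ("lam", x, T, M) | ("app", M, N)
# Derivations : ("hyp", h, phi) | ("refl", M) | ("appthm", D1, D2) | ("eqmp", D1, D2)

BOOL = ("top", "bool", ())
arrow = lambda A, B: ("top", "arrow", (A, B))
eqn = lambda A, M, N: ("app", ("app", ("eq", A), M), N)       # the proposition (=_A) M N
equation = lambda phi: (phi[1][1][1], phi[1][2], phi[2])        # back to (A, M, N)

def apps(head, *args):                   # Dedukti term  head a1 ... an  for a constant head
    t = ("c", head)
    for a in args:
        t = ("app", t, a)
    return t

def typeof(M):                           # type of a HOL term; variables carry theirs, nothing is checked
    if M[0] == "var":
        return M[2]
    if M[0] == "lam":
        return arrow(M[2], typeof(M[3]))
    if M[0] == "app":
        return typeof(M[1])[2][1]            # codomain of an arrow type
    return arrow(M[1], arrow(M[1], BOOL))    # (=_A) : A -> A -> bool

def tr_type(A):
    """Definition 4.1: |alpha| = alpha and |p(A1, ..., An)| = p |A1| ... |An|."""
    return ("v", A[1]) if A[0] == "tvar" else apps(A[1], *map(tr_type, A[2]))

def tr_term(M):
    """Definition 4.3 (shallow); the binder is typed by ||A|| = term |A| (Definition 4.2)."""
    if M[0] == "var":
        return ("v", M[1])
    if M[0] == "lam":
        return ("lam", M[1], apps("term", tr_type(M[2])), tr_term(M[3]))
    if M[0] == "app":
        return ("app", tr_term(M[1]), tr_term(M[2]))
    return apps("eq", tr_type(M[1]))

def subst(t, x, s):
    """t[s/x] on Dedukti terms; assumes bound names never clash with free ones."""
    if t[0] in ("v", "c"):
        return s if t == ("v", x) else t
    if t[0] == "lam":
        body = t[3] if t[1] == x else subst(t[3], x, s)
        return ("lam", t[1], subst(t[2], x, s), body)
    return ("app", subst(t[1], x, s), subst(t[2], x, s))

def normalize(t):
    """Beta-normal form. The rule term (arrow a b) --> term a -> term b is what makes
    the shallow redex (x : term a => x) x well-typed; beta then removes it."""
    if t[0] in ("v", "c"):
        return t
    if t[0] == "lam":
        return ("lam", t[1], normalize(t[2]), normalize(t[3]))
    f, a = normalize(t[1]), normalize(t[2])
    return normalize(subst(f[3], f[1], a)) if f[0] == "lam" else ("app", f, a)

def show(t):
    """Dedukti concrete syntax: x : A => M for abstraction, juxtaposition for application."""
    if t[0] in ("v", "c"):
        return t[1]
    if t[0] == "lam":
        return f"{t[1]} : {show(t[2])} => {show(t[3])}"
    f = show(t[1]) if t[1][0] != "lam" else f"({show(t[1])})"
    a = show(t[2]) if t[2][0] not in ("app", "lam") else f"({show(t[2])})"
    return f"{f} {a}"

def tr_proof(D):
    """Definitions 4.6-4.7 for Refl, AppThm and EqMp; a hypothesis phi becomes the proof
    variable h : ||phi|| of Definition 4.5. Returns (Dedukti term, HOL conclusion)."""
    if D[0] == "hyp":
        return ("v", D[1]), D[2]
    if D[0] == "refl":                       # Refl |A| |M| : proof (eq |A| |M| |M|)
        A = typeof(D[1])
        return apps("Refl", tr_type(A), tr_term(D[1])), eqn(A, D[1], D[1])
    p1, c1 = tr_proof(D[1])
    p2, c2 = tr_proof(D[2])
    if D[0] == "appthm":                     # F = G and M = N give F M = G N
        AB, F, G = equation(c1)
        A, M, N = equation(c2)
        B = AB[2][1]
        args = [tr_type(A), tr_type(B)] + [tr_term(u) for u in (F, G, M, N)]
        return apps("AppThm", *args, p1, p2), eqn(B, ("app", F, M), ("app", G, N))
    _, phi, psi = equation(c1)               # EqMp: phi = psi and phi give psi
    if c2 != phi:
        raise ValueError("EqMp: second premise is not the left-hand side of the first")
    return apps("EqMp", tr_term(phi), tr_term(psi), p1, p2), psi

# Example 4.4: (\x:a.x) x, whose shallow encoding (x : term a => x) x reduces to x.
A = ("tvar", "a")
EX44 = ("app", ("lam", "x", A, ("var", "x", A)), ("var", "x", A))
# Example 3.2: Gamma |- x = y (h1) and Delta |- y = z (h2) give Gamma u Delta |- x = z.
X, Y, Z = (("var", n, A) for n in "xyz")
TRANS = ("eqmp",
         ("appthm", ("refl", ("app", ("eq", A), X)), ("hyp", "h2", eqn(A, Y, Z))),
         ("hyp", "h1", eqn(A, X, Y)))
```

Printing show(tr_proof(TRANS)[0]) gives EqMp (eq a x y) (eq a x z) (AppThm a bool (eq a x) (eq a x) y z (Refl (arrow a bool) (eq a x)) h2) h1, a term of type proof (eq a x z), which is exactly the shape Definitions 4.6 and 4.7 prescribe for the derivation of Example 3.2.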


5 Correctness 

The correctness of the translation is expressed by two properties: completeness and soundness. The first 
states that all the generated terms have the correct type. For example, the translation of a term of type A 
has type ||A|| while the translation of a proof of φ has type ||φ||. The second states that if a proof term is 
well-typed in Dedukti, then the proof is correct in the original logic. These two properties ensure that we 
can use Dedukti as an independent proof checker: we can use it to re-verify the proofs of OpenTheory, 
and moreover we can be sure that, if a proof is accepted by Dedukti, then it is also valid in OpenTheory. 

Completeness

Let Σ be the signature of HOL containing the declarations and rewrite rules of the previous sections.

Lemma 5.1. For any HOL type A,

\[
\Sigma \mid \alpha_1 : \mathrm{type}, \ldots, \alpha_n : \mathrm{type} \vdash |A| : \mathrm{type}
\]

where α₁, ..., αₙ are the free type variables appearing in A.

Lemma 5.2. For any HOL term M of type A,

\[
\Sigma \mid \alpha_1 : \mathrm{type}, \ldots, \alpha_n : \mathrm{type}, x_1 : \|A_1\|, \ldots, x_m : \|A_m\| \vdash |M| : \|A\|
\]

where α₁, ..., αₙ are the free type variables and x₁ : A₁, ..., xₘ : Aₘ are the free term variables appearing in M.

Theorem 5.3. For any HOL proof π of Γ ⊢ φ,

\[
\Sigma \mid \alpha_1 : \mathrm{type}, \ldots, \alpha_n : \mathrm{type}, x_1 : \|A_1\|, \ldots, x_m : \|A_m\|, \|\Gamma\| \vdash |\pi| : \|\phi\|
\]

where α₁, ..., αₙ are the free type variables and x₁ : A₁, ..., xₘ : Aₘ are the free term variables appearing in π.

Proof. By induction on the structure of π. □

Soundness 

Proving the soundness of the embedding is less straightforward than proving completeness. In fact, it is closely related to the confluence and normalization properties of the system. We state the results here and refer the reader to the works of Assaf, Cousineau, and Dowek [3, 11, 12] for the complete proofs.†

Lemma 5.4. The reduction relation $\to_{\beta\Sigma}$ is confluent.

Lemma 5.5. The reduction relation $\to_{\beta\Sigma}$ is strongly normalizing.

Theorem 5.6. If $\Sigma \mid \|\Gamma\| \vdash M : \|A\|$ then M corresponds to a valid proof of Γ ⊢ A in HOL.

† The terms soundness and completeness are interchanged in Cousineau and Dowek’s paper [11].
    Package       Size (kB)                 Time (s)
                  OpenTheory    Dedukti     Translation    Verification
    unit                   5         13             0.2             0.0
    function              16         53             0.3             0.2
    pair                  38        121             0.8             0.5
    bool                  49        154             0.9             0.5
    sum                   84        296             2.1             1.1
    option                93        320             2.2             1.2
    relation             161        620             4.6             2.8
    list                 239        827             5.7             3.2
    real                 286        945             6.5             3.1
    natural              343       1065             6.8             3.2
    set                  389       1462            10.2             5.8
    Total               1702       5877            40.3            21.6

Table 1: Translation of the OpenTheory standard library (sizes are of the gzip-compressed files)


6 Implementation 

We implemented our translation in an automated tool called Holide. It works as an OpenTheory virtual machine that additionally keeps track of the corresponding proof terms for theorems. The program reads a HOL proof written in the OpenTheory article format (.art) and outputs a Dedukti file (.dk) containing its translation. We can run Dedukti on the generated file to verify it. All generated files are linked with a hand-written file hol.dk containing the signature Σ that we defined in Section 4. Our software is available online at https://www.rocq.inria.fr/deducteam/Holide/.

HOL proofs are known to be very large [19, 20, 24], and we needed to implement sharing of proofs, terms, and types in order to reduce them to a manageable size. OpenTheory already provides some form of proof sharing but we found it easier to completely factorize the derivations into individual steps.

We used Holide to translate the OpenTheory standard library. The library is organized into logical packages, each corresponding to a theory such as lists or natural numbers. We were able to verify all of the generated files. The results are summarized in Table 1. We list the size of both the source files and the files generated by the translation after compression using gzip. The reason we use the size of the compressed files for comparison is that it provides a more reasonable measure that is less affected by syntax formatting and whitespace. We also list the time it takes to translate and verify each package. These tests were done on a 64-bit Intel Xeon(R) CPU @ 2.67GHz x 4 machine with 4 GB of RAM.

Overall, the size of the generated files is about 3 to 4 times larger than the source files. Given that this is an encoding in a logical framework, an increase in the size is to be expected, and we find that this factor is very reasonable. There are no similar translations to compare to except the one of Keller and Werner [20]. The comparison is difficult because they work with a slightly different form of input, but they produce several hundred megabytes of proofs. Similarly, an increase in verification time is to be expected compared to verifying OpenTheory directly, but our results are still very reasonable given the nature of the translation. Our time is about 4 times larger than OpenTheory, which takes about 5 seconds to verify the standard library. It is in line with the scalable translation of Kaliszyk and Krauss to Isabelle/HOL, which takes around 30 seconds [19]. In comparison, Keller and Werner’s translation takes several hours, although we should note that our work greatly benefited from their experience.
7 Extensions

In this section we show some additional advantages of having a translation which preserves reduction.

Compressing conversion proofs

One of the reasons why HOL proofs are so large is that conversion proofs have to traverse the terms using the congruence rules AbsThm and AppThm. Since we now prove β-reduction using reflexivity, large conversion proofs could be reduced to a single reflexivity step, therefore reducing the size of the proofs.‡

Example 7.1. The following proof of f(g((λx : A. x) x)) = f(g(x)),

\[
\frac{
  \dfrac{}{\vdash f = f}\ \text{Refl}_f
  \qquad
  \dfrac{
    \dfrac{}{\vdash g = g}\ \text{Refl}_g
    \qquad
    \dfrac{}{\vdash (\lambda x : A.\, x)\, x = x}\ \text{Beta}
  }{\vdash g((\lambda x : A.\, x)\, x) = g\, x}\ \text{AppThm}
}{\vdash f(g((\lambda x : A.\, x)\, x)) = f(g\, x)}\ \text{AppThm}
\]

can be translated simply as Refl C (f (g x)), where A → B is the type of g and B → C is the type of f.


HOL as a pure type system 

It turns out that HOL can be seen as a pure type system called λHOL with three sorts [5, 13]. This formulation corresponds to intuitionistic higher-order logic. However, this structure is lost in the Q₀ formulation used by the HOL systems. Our shallow embedding can be adapted to recover this structure, and thus obtain a constructive and computational version of HOL.

Instead of equality, we declare implication and universal quantification as primitive connectives, and we define what provability means through rewriting.

    imp    : term (arrow bool (arrow bool bool))
    forall : Πα : type. term (arrow (arrow α bool) bool)

    [p : term bool, q : term bool] proof (imp p q) ↪ proof p → proof q
    [α : type, p : term (arrow α bool)] proof (forall α p) ↪ Πx : term α. proof (p x)

However, this time we do not even need to declare constants like Refl and AppThm for the derivation rules, because they are derivable. Here is a derivation of the introduction and elimination rules for implication for example:

    imp_intro : Πp, q : term bool. (proof p → proof q) → proof (imp p q)
              = λp, q : term bool. λh : (proof p → proof q). h
    imp_elim  : Πp, q : term bool. proof (imp p q) → proof p → proof q
              = λp, q : term bool. λh : proof (imp p q). λx : proof p. h x

By translating the introduction rules as A-abstractions, and the elimination rules as applications, we 
recover the reduction of the proof terms, which corresponds to cut elimination in the original proofs. 

‡ This also applies to conversions involving constant definitions, which we did not cover here but are also assumed as an axiom in HOL.
As for equality, it is also possible to define it in terms of these connectives. For example, we could use the Leibniz definition of equality, which is the one used by Coq:

    eq : Πα : type. term (arrow α (arrow α bool))
       = λα : type. λx : term α. λy : term α.
         forall (arrow α bool) (λp : term (arrow α bool). imp (p x) (p y))

We would still need to assume some axioms to prove all the rules of OpenTheory, namely FunExt and PropExt [20], but at least this definition is closer to that of Coq. Since the λHOL PTS is a strict subset of the calculus of inductive constructions, we can adapt our translation to inject HOL directly into an embedding of Coq in Dedukti [7], or to combine HOL proofs with Coq proofs in Dedukti [4]. Further research into ways to eliminate these axioms (and thus maintain the constructive aspect) when possible is the subject of ongoing work.


8 Conclusion 

We showed how to translate HOL to Dedukti by adapting techniques from Cousineau and Dowek [11] to 
define an embedding that is sound, complete, and reduction preserving. Using our implementation, we 
were able to translate the OpenTheory standard library and verify it in Dedukti. 


Future work 

The translation we have presented can be improved in several ways. The current implementation suffers 
from a lack of linking: if a package makes use of a type, constant, or theorem defined in another package, 
we do not have a reference to the original definition. This is due to a limitation of the OpenTheory 
article format. In OpenTheory, this problem is resolved by adding a theory management layer, which 
is responsible for composing and linking theories together [18]. It would be beneficial to integrate this 
layer in our translation so that we can properly link the resulting files together. 

While we used several optimizations including term sharing in our implementation, there is still room 
for reducing the time and memory consumption of the translation and the size of the generated files. The 
caching techniques of Kaliszyk and Krauss [19] could be used in this regard to handle larger libraries 
and formalizations. 

Finally, we can study how to combine the proofs obtained by this translation with the proofs obtained 
from the translation of Coq [7]. That will require a careful examination of the compatibility of the two 
embeddings. First, the types of the two theories must coincide, so that a natural number from HOL is the 
same as a natural number from Coq for example. Second, we must make sure that the resulting theory 
is consistent. For instance, we know that every type in HOL is inhabited, which is inconsistent with the 
existence of empty types in Coq, so we will need to modify the translations to avoid this. A solution is to 
parameterize each HOL type variable by a witness ensuring that it is non-empty. Our translation can be 
adapted for this solution without much trouble. Some work has already been done in this direction [4]. 


Acknowledgments 

We thank Gilles Dowek for his support, as well as Mathieu Boespflug and Chantal Keller for their 
comments and suggestions. 


A. Assaf and G. Burel 




References 

[1] Peter B. Andrews (1986): An introduction to mathematical logic and type theory: to truth through proof. 
Academic Press Professional, Inc., San Diego, CA, USA. 

[2] Andrew W. Appel (2001): Foundational Proof-Carrying Code. In: LICS, IEEE Computer Society, Washington, 
DC, USA, pp. 247-256, doi:10.1109/LICS.2001.932501. 

[3] Ali Assaf (2015): Conservativity of embeddings in the lambda-Pi calculus modulo rewriting. Available at 
https://hal.archives-ouvertes.fr/hal-01084165. To appear in TLCA 2015. 

[4] Ali Assaf & Raphaël Cauderlier (2015): Mixing HOL and Coq in Dedukti (Rough Diamond). Available at 
https://hal.inria.fr/hal-01141789. To appear in PxTP 2015. 

[5] H. P. Barendregt (1992): Lambda Calculi with Types. Handbook of Logic in Computer Science Vol. II. Oxford 
University Press. 

[6] Michael Beeson (1985): Foundations of Constructive Mathematics. Springer-Verlag, doi:10.1007/978-3-642-68952-9. 

[7] M. Boespflug & G. Burel (2012): CoqInE: Translating the calculus of inductive constructions into the 
lambda-Pi-calculus modulo. In: PxTP, pp. 44-50. 

[8] M. Boespflug, Q. Carbonneaux & O. Hermant (2012): The lambda-Pi-calculus modulo as a universal proof 
language. In: PxTP, pp. 28-43. 

[9] Zakaria Chihani, Dale Miller & Fabien Renaud (2013): Foundational proof certificates in first-order logic. 
In Maria Paola Bonacina, editor: Automated Deduction - CADE-24, LNCS 7898, Springer Berlin Heidelberg, 
pp. 162-177, doi:10.1007/978-3-642-38574-2_11. 

[10] Alonzo Church (1940): A formulation of the simple theory of types. Journal of Symbolic Logic 5(02), pp. 
56-68, doi:10.2307/2266170. 

[11] Denis Cousineau & Gilles Dowek (2007): Embedding Pure Type Systems in the Lambda-Pi-Calculus Modulo. 
In Simona Ronchi Della Rocca, editor: TLCA, LNCS 4583, Springer Berlin Heidelberg, pp. 102-117, 
doi:10.1007/978-3-540-73228-0_9. 

[12] Gilles Dowek (2014): Models and termination of proof-reduction in the λΠ-calculus modulo theory. Available 
at https://who.rocq.inria.fr/Gilles.Dowek/Publi/superpi.pdf. 

[13] Herman Geuvers (1993): Logics and type systems. PhD thesis, University of Nijmegen. 

[14] Herman Geuvers & Erik Barendsen (1999): Some logical and syntactical observations concerning the first-
order dependent type system lambda-P. Mathematical Structures in Computer Science 9(04), pp. 335-359, 
doi:10.1017/S0960129599002856. 

[15] Thomas C. Hales (2007): The Jordan Curve Theorem, Formally and Informally. American Mathematical 
Monthly 114(10), pp. 882-894. 

[16] Thomas C. Hales, John Harrison, Sean McLaughlin, Tobias Nipkow, Steven Obua & Roland Zumkeller 
(2011): A Revision of the Proof of the Kepler Conjecture. In Jeffrey C. Lagarias, editor: The Kepler 
Conjecture, Springer New York, pp. 341-376, doi:10.1007/978-1-4614-1129-1_9. 

[17] Robert Harper, Furio Honsell & Gordon Plotkin (1993): A framework for defining logics. J. ACM 40(1), pp. 
143-184, doi:10.1145/138027.138060. 

[18] Joe Hurd (2011): The OpenTheory Standard Theory Library. In Mihaela Bobaru, Klaus Havelund, Gerard J. 
Holzmann & Rajeev Joshi, editors: NFM, LNCS 6617, Springer, pp. 177-191, doi:10.1007/978-3-642-20398-5_14. 

[19] Cezary Kaliszyk & Alexander Krauss (2013): Scalable LCF-Style Proof Translation. In Sandrine Blazy, 
Christine Paulin-Mohring & David Pichardie, editors: ITP, LNCS 7998, Springer Berlin Heidelberg, pp. 
51-66, doi:10.1007/978-3-642-39634-2_7. 




Translating HOL to Dedukti 


[20] Chantal Keller & Benjamin Werner (2010): Importing HOL Light into Coq. In Matt Kaufmann & 
Lawrence C. Paulson, editors: ITP, LNCS 6172, Springer Berlin Heidelberg, pp. 307-322, 
doi:10.1007/978-3-642-14052-5_22. 

[21] Dale Miller (1991): Unification of simply typed lambda-terms as logic programming. Technical Reports 
(CIS). 

[22] Dale A. Miller (2004): Proofs in higher-order logic. Ph.D. thesis, University of Pennsylvania. 

[23] Pavel Naumov, Mark-Oliver Stehr & José Meseguer (2001): The HOL/NuPRL Proof Translator. In Richard J. 
Boulton & Paul B. Jackson, editors: TPHOLs, LNCS 2152, Springer Berlin Heidelberg, pp. 329-345, 
doi:10.1007/3-540-44755-5_23. 

[24] Steven Obua & Sebastian Skalberg (2006): Importing HOL into Isabelle/HOL. In Ulrich Furbach & 
Natarajan Shankar, editors: Automated Reasoning, LNCS 4130, Springer Berlin Heidelberg, pp. 298-302, 
doi:10.1007/11814771_27. 

[25] Frank Pfenning & Carsten Schürmann (1999): System Description: Twelf - A Meta-Logical Framework for 
Deductive Systems. In: CADE-16, LNCS 1632, Springer Berlin Heidelberg, pp. 202-206, 
doi:10.1007/3-540-48660-7_14. 

[26] Florian Rabe (2010): Representing Isabelle in LF. EPTCS 34, pp. 85-99, doi:10.4204/EPTCS.34.8. arXiv: 
1009.2794. 

[27] Florian Rabe & Michael Kohlhase (2013): A scalable module system. Inf. Comput. 230, pp. 1-54, 
doi:10.1016/j.ic.2013.06.001. 

[28] Carsten Schürmann & Mark-Oliver Stehr (2006): An Executable Formalization of the HOL/Nuprl Connection 
in the Metalogical Framework Twelf. In Miki Hermann & Andrei Voronkov, editors: LPAR, LNCS 4246, 
Springer Berlin Heidelberg, pp. 150-166, doi:10.1007/11916277_11. 

[29] Freek Wiedijk (2007): The QED manifesto revisited. Studies in Logic, Grammar and Rhetoric 10(23), pp. 
121-133. 


